Jboss 4.0.1sp1 seems to have the possibility to authenticate against roles. However this didn't work. Looking at the source code, it seems that you forgot to register the subject with the SecurityAssociation class in the class org.jboss.net.axis.server.JBossAuthenticationHandler. Here is what the validate method becomes if we do so: